From: Peter Jeremy
To: Terry Lambert
Cc: arch@FreeBSD.ORG
Date: Sat, 15 Feb 2003 17:24:10 +1100
Subject: Re: syslog.conf syntax change (multiple program/host specifications)
Message-ID: <20030215062410.GB60369@cirb503493.alcatel.com.au>
In-Reply-To: <3E4D7C2B.DDFC9DBE@mindspring.com>
References: <20030210114930.GB90800@melusine.cuivre.fr.eu.org> <20030213174531.GZ83215@roark.gnf.org> <20030213184309.GA53098@melusine.cuivre.fr.eu.org> <200302141100.23529.wes@softweyr.com> <20030214220145.GM83215@roark.gnf.org> <3E4D7C2B.DDFC9DBE@mindspring.com>

On Fri, Feb 14, 2003 at 03:30:51PM -0800, Terry Lambert wrote:
>Only newsyslog is stupid.
>
>No matter what options you gave it, the first thing it would do is
>the moral equivalent of -F.
>
>So instead of a 60M Samba log file "/var/log/samba", you ended up
>with a "/var/log/samba.1" that was 60M, and a "/var/log/samba"
>that was empty.

I'm not sure this is "stupid" in all cases. Definitely, if you have the situation where newsyslog fails to run for an extended period, this is a problem. OTOH, if syslog is running normally and there is a massive burst of log activity (e.g. an attack) then you could lose older logs. This might make it easier for an attacker to destroy evidence of what they did - you know something happened because you have a pile of syslogs full of rubbish, but you don't know exactly what because the earliest syslogs have rotated out of existence.

Peter
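As an added illustration of the retention concern raised in the reply above (this is not code from the thread or from newsyslog itself), a small Python model of size-triggered, count-limited rotation shows how a burst of entries pushes the pre-burst lines off disk; the entries, size limit and archive counts are all constructed for the example.

```python
from collections import deque

# Constructed sample entries: a few "normal" lines followed by a flood.
PRE_BURST = [f"normal-{i:02d}" for i in range(5)]
BURST = [f"flood-{i:03d}" for i in range(200)]


def rotate(archives, current, count):
    """newsyslog-style rotation: current becomes .1, older archives shift up
    by one, and anything beyond `count` archives is deleted. Returns the
    new, empty current log (the "-F" behaviour the thread describes)."""
    archives.appendleft(current)
    while len(archives) > count:
        archives.pop()  # the oldest archive falls off the end
    return []


def retained_lines(entries, size_limit, count):
    """Feed entries through a size-triggered, count-limited rotator and
    return every line still on disk afterwards (oldest archive first,
    then the current log)."""
    archives = deque()  # index 0 corresponds to log.1
    current = []
    for line in entries:
        current.append(line)
        if sum(len(l) + 1 for l in current) >= size_limit:  # +1 for newline
            current = rotate(archives, current, count)
    return [l for archive in reversed(archives) for l in archive] + current


def surviving_pre_burst(pre_burst, burst, size_limit, count):
    """Which pre-burst lines remain on disk once the burst has passed."""
    kept = set(retained_lines(pre_burst + burst, size_limit, count))
    return [l for l in pre_burst if l in kept]


if __name__ == "__main__":
    # With 3 archives the evidence is gone; with 25 it survives the flood.
    for count in (3, 25):
        survivors = surviving_pre_burst(PRE_BURST, BURST, 100, count)
        print(f"count={count}: {len(survivors)}/{len(PRE_BURST)} pre-burst lines survive")
```

Raising the archive count (or forwarding logs to another host) is what keeps the pre-burst lines reachable for investigation.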